
malware and security


Ric Ford

MacInTouch
Keyword here is "targeted" -- almost always a very small population of users, usually running legacy systems and software who are unlikely to be frequenting this forum or running Malwarebytes (or any other modern anti-malware software) on their Macs.
Not a "very small population" in the case of this "targeted" group (although iPhones were compromised rather than Macs):
Google said:
A very deep dive into iOS Exploit chains found in the wild
... Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.
(The attacks also infected non-targeted visitors to the malicious "watering hole" websites and infected Android and Windows systems, as well, though perhaps not Macs, which are probably scant in the targeted population.)
 


Not a "very small population" in the case of this "targeted" group (although iPhones were compromised rather than Macs):
Impossible to judge the size of the population, since they purposely avoided telling us what the watering hole websites were and what groups were expected to frequent them. The fact that iPhones were attacked isn’t really material, as the same vector has been, and almost certainly is today being, used against most all platforms. And certainly the watering hole method will always net more non-targeted visitors as compared with other types of directly targeted group attacks.

But depending upon the intended (malicious?) purpose, is there really a danger to those non-targeted visitors? Were their iPhones or their data actually compromised or did the user do something they normally wouldn’t do (like vote for a certain individual)? It’s never a good thing to have one’s digital device compromised in any manner, but I can’t judge the metrics (probability of compromise, severity, etc.) without more non-technical detail.
 


Bleeping Computer said:
... OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
Hmm, that may be one notch too scary. OpenSMTPD's portable version will work on these system types, if you install it. It's not installed by default on most of them. For example, standard macOS includes and uses Postfix to fill this role.

I certainly agree with the larger point, though - OpenSMTPD is a great example of software that was developed by some quite security-conscious people and then further audited externally, and holes still creep in. Software is incredibly complex.
 


Ric Ford

MacInTouch
This one is bad and carries the highest severity rating – a zero-day vulnerability in Zyxel NAS devices that can be remotely exploited, and the exploit is being actively sold to criminals....
Here are the latest extreme vulnerabilities in Zyxel products – firewalls in this case, some of which won't even be patched...
Brian Krebs said:
Zyxel 0day Affects its Firewall Products, Too — Krebs on Security
This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000. Alex Holden, the security expert who first spotted the code for sale, said at the time the vulnerability was so “stupid” and easy to exploit that he wouldn’t be surprised to find other Zyxel products were similarly affected. Now it appears Holden’s hunch was dead-on.

“We’ve now completed the investigation of all Zyxel products and found that firewall products running specific firmware versions are also vulnerable,” Zyxel wrote in an email to KrebsOnSecurity.

... CERT’s advisory on the flaw rates this vulnerability at a “10” — its most severe. My advice? If you can’t patch it, pitch it. The zero-day sales thread first flagged by Holden also hinted at the presence of post-authentication exploits in many Zyxel products, but the company did not address those claims in its security advisories.

... Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.
 


Ric Ford

MacInTouch
Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Dan Goodin/Ars Technica said:
Flaw in billions of Wi-Fi devices left communications open to eavesdropping
Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.

The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter whose Wi-Fi business was acquired by Cypress in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.

Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.
BleepingComputer said:
Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
A vulnerability in some popular WiFi chips present in client devices, routers, and access points, can be leveraged to partially decrypt user communication and expose data in wireless network packets.

... Given that Broadcom chips are used in most WiFi gadgets and those from Cypress are preferred by IoT makers, it is safe to assume that at the time of the discovery Kr00k impacted at least one billion devices.

Prior to patching, ESET found that the following devices were vulnerable to Kr00k:
  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S
  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321
... Full details about Kr00k are available on a dedicated page as well as in a technical paper authored by Miloš Čermák, Štefan Svorenčík and Robert Lipovský, in collaboration with Ondrej Kubovič.
 


Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Two comments about this:

1. Any data using an encrypted socket (e.g. an HTTPS connection) will still be secure, even if someone is exploiting this vulnerability. Being able to snoop your packets will only let an attacker view plaintext traffic.
2. You should never be doing anything sensitive (including entering passwords) on non-encrypted connections, with or without this bug. Wi-Fi encryption only protects the link from your computer to the access point, whereas a secure socket will protect the entire path to the remote server.

Of course, this is a serious bug, but it should be of minimal consequence for people who are careful to not use insecure connections for sensitive data.
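The two points above come down to a layering question: once the WPA2 link encryption is gone (which is what Kr00k's all-zero key amounts to), an eavesdropper sees IP packets, and only the ones without their own encryption above the link layer are readable. As an added example, not code from the thread, from ESET, or from any vendor, the Python below builds a few constructed IPv4/TCP packets, parses them the way a capture tool would, and reports which flows carry readable plaintext and which are protected by TLS. The packet builder, the documentation-range addresses, and the content heuristics (TLS record header, HTTP method prefix, ASCII test) are assumptions made for the illustration; checksums are left at zero because nothing here is sent on a network.

```python
"""Added example (not from the MacInTouch thread or any vendor): classify
captured IPv4/TCP traffic by whether a link-layer eavesdropper could read it.
All packets below are constructed in-process; nothing touches the network."""
import ipaddress
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (checksums left at zero: lab sample only)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:   # IP protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, packet[ihl + data_off:]


def classify_payload(payload):
    """Guess what an eavesdropper who has stripped the Wi-Fi encryption sees."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x16 (handshake), then version 0x03 0x0X
    if payload[0] == TLS_HANDSHAKE and len(payload) >= 3 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http-plaintext"
    try:
        payload.decode("ascii")
        return "plaintext"
    except UnicodeDecodeError:
        return "binary-unknown"


def exposure_report(packets):
    """One row per IPv4/TCP packet: flow, content kind, readable-in-clear flag."""
    rows = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:          # non-IPv4 / non-TCP frames are skipped
            continue
        src, dst, sport, dport, payload = parsed
        kind = classify_payload(payload)
        rows.append({"flow": f"{src}:{sport}->{dst}:{dport}", "kind": kind,
                     "readable": kind in ("http-plaintext", "plaintext")})
    return rows


# Constructed sample capture (addresses taken from documentation ranges).
SAMPLE_PACKETS = [
    # a login form POSTed over plain HTTP: fully readable on the air
    build_ipv4_tcp("192.168.1.10", "203.0.113.5", 51000, 80,
                   b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
                   b"user=alice&pass=hunter2"),
    # first bytes of a TLS ClientHello: only handshake metadata is visible
    build_ipv4_tcp("192.168.1.10", "203.0.113.6", 51001, 443,
                   bytes.fromhex("160301002a0100002603035a") + b"\x00" * 20),
    # opaque binary protocol: not classifiable from the payload alone
    build_ipv4_tcp("192.168.1.10", "203.0.113.7", 51002, 8443,
                   b"\x8f\xa3\x00\x11\xfe"),
    # an IPv4/UDP datagram (protocol 17) to show non-TCP frames being skipped
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                ipaddress.IPv4Address("192.168.1.10").packed,
                ipaddress.IPv4Address("203.0.113.8").packed) + b"\x00" * 8,
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_PACKETS):
        print(f"{row['flow']:<35} {row['kind']:<15} readable={row['readable']}")
```

The report marks the HTTP login as readable and the TLS session as not, which is exactly the distinction the two numbered points draw: the bug exposes the link, and only traffic that relied on the link alone is exposed with it. The "binary-unknown" class is deliberately not marked safe; an unrecognised protocol is not the same as an encrypted one.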
 


Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Note that the article states Apple addressed the issue with releases of macOS Catalina 10.15.1 and iOS/iPadOS 13.2 [but] apparently did nothing for Sierra/High Sierra, other iDevices or base stations.

It's not really clear to me exactly how much data can be decrypted due to the flaw.
 


Here's some more perspective of how bad Mac malware is becoming, and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?
As speculated, this was the same Lazarus malware that Patrick blogged about back in early December. He published the technical presentation given at the RSA Conference in his blog today:
Objective-See said:
 



Here are the latest extreme vulnerabilities in Zyxel products – firewalls in this case, some of which won't even be patched...
I'm curious about something. Does this Zyxel vulnerability extend to their line of internet DSL modem/routers? My former ISP was Century Link, and they use a customized Zyxel modem for their DSL service up to ~ 30 Mbps and maybe faster (used the VDSL protocol). There must be many tens or hundreds of thousands of those out there...

My unit was a C1100Z modem router, in service for 3 years.
 


[FYI]
Thomas Reed/Malwarebytes said:
Mac adware is more sophisticated and dangerous than traditional Mac malware

As the data revealed in our State of Malware report showed, Mac threats are on the rise, but they are not the same type of threats experienced by Windows users. Most notably, more traditional forms of malware, such as ransomware, spyware, and backdoors account for over 27 percent of all Windows threats. That figure is less than 1 percent for Macs.

Further, Mac malware is rather unsophisticated overall. The remaining 99+ percent of Mac threats are “just” adware and potentially unwanted programs (PUPs). This has led some in the Mac community to dismiss these findings as unimportant, even leading one Mac blogger to write:
“Macs don’t get viruses” is a statement that is still overwhelmingly true.
However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.
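Two of the footholds the Malwarebytes post lists, hidden user accounts and rerouted network traffic, leave traces that a Mac admin can check for without any special tooling. The Python below is an added example, not code from Malwarebytes or from the thread: it parses the output of `dscl . -list /Users UniqueID`, `dscl . -list /Users UserShell` and `networksetup -getwebproxy Wi-Fi` and flags login-capable accounts hidden below UID 500, regular accounts the admin does not recognise, and an enabled system web proxy. The sample command output is constructed, the heuristics (underscore-prefixed names as Apple service accounts, the 500 cutoff, the no-login shell set) are assumptions for the illustration, and `audit_live()` assumes those two commands exist at their usual names on the Mac being checked.

```python
"""Added example (not from the Malwarebytes post or any vendor tool): audit a
macOS host for two of the adware footholds described above, hidden user
accounts and a hijacked system web proxy. The parsers run on the constructed
sample output below; audit_live() runs the same checks on a real Mac."""
import subprocess

# Constructed sample output of `dscl . -list /Users UniqueID` and
# `dscl . -list /Users UserShell` (not from a real host). Apple's own
# service accounts start with an underscore and use a non-login shell.
SAMPLE_DSCL_UID = """\
_www                 70
_spotlight           89
root                 0
daemon               1
alice                501
helper               499
updater              1001
"""
SAMPLE_DSCL_SHELL = """\
_www                 /usr/bin/false
_spotlight           /usr/bin/false
root                 /bin/sh
daemon               /usr/bin/false
alice                /bin/zsh
helper               /bin/bash
updater              /bin/zsh
"""
# Constructed sample output of `networksetup -getwebproxy Wi-Fi`
SAMPLE_WEBPROXY = """\
Enabled: Yes
Server: 127.0.0.1
Port: 8118
Authenticated Proxy Enabled: 0
"""

NOLOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
APPLE_SYSTEM_USERS = {"root", "daemon", "nobody"}


def parse_dscl_list(text):
    """Parse `dscl . -list /Users <attr>` output into {name: value}."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def suspicious_accounts(uid_text, shell_text, expected_users):
    """Return [(name, reason)] for accounts that look planted.

    Rule 1: a login-capable account with UID < 500 that is not an Apple
            service account (macOS hides UIDs below 500 from the login window).
    Rule 2: a regular account (UID >= 500) that the admin does not recognise.
    """
    uids = parse_dscl_list(uid_text)
    shells = parse_dscl_list(shell_text)
    findings = []
    for name, uid_str in uids.items():
        uid = int(uid_str)
        shell = shells.get(name, "")
        if name.startswith("_") or name in APPLE_SYSTEM_USERS:
            continue
        if uid < 500 and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"hidden account (uid {uid}) with login shell {shell}"))
        elif uid >= 500 and name not in expected_users:
            findings.append((name, f"unexpected regular account (uid {uid})"))
    return findings


def proxy_findings(text):
    """Flag an enabled system web proxy: one way adware routes traffic through itself."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("Enabled") == "Yes":
        return [f"web proxy enabled -> {fields.get('Server')}:{fields.get('Port')}"]
    return []


def audit_live(expected_users, service="Wi-Fi"):
    """Run the same checks on the local Mac (assumes dscl and networksetup are present)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    accounts = suspicious_accounts(run("dscl", ".", "-list", "/Users", "UniqueID"),
                                   run("dscl", ".", "-list", "/Users", "UserShell"),
                                   expected_users)
    proxy = [("proxy", f) for f in proxy_findings(run("networksetup", "-getwebproxy", service))]
    return accounts + proxy


if __name__ == "__main__":
    for name, reason in suspicious_accounts(SAMPLE_DSCL_UID, SAMPLE_DSCL_SHELL, {"alice"}):
        print(f"account {name}: {reason}")
    for finding in proxy_findings(SAMPLE_WEBPROXY):
        print(f"network: {finding}")
```

On the constructed sample this flags `helper` (UID 499 with `/bin/bash`, the hidden-user pattern) and `updater` (a regular account not in the expected set), and reports the enabled proxy on 127.0.0.1:8118. The expected-user set is the admin's own inventory; the check is only as good as that list, which is the point of keeping one.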
 


I'm curious about something. Does this Zyxel vulnerability extend to their line of internet DSL modem/routers? My former ISP was Century Link, and they use a customized Zyxel modem for their DSL service up to ~ 30 Mbps and maybe faster (used the VDSL protocol). There must be many tens or hundreds of thousands of those out there...

My unit was a C1100Z modem router, in service for 3 years.
According to the updated CERT and ZyXEL advisories, it appears that it is limited to various firewall, VPN, and NAS devices. It does not look like modems, routers, or switches are affected.
 


Ric Ford

MacInTouch
Here's some more perspective of how bad Mac malware is becoming... (and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?):
$2 billion is a lot of motivation, and North Korea has advanced hacking capabilities....
BleepingComputer said:
US Charges Two With Laundering $100M for North Korean Hackers

... "The August 2019 UN Security Council 1718 Committee Panel of Experts report estimates that North Korea had attempted to steal as much as $2 billion, of which $571 million is attributed to cryptocurrency theft. This revenue allows the North Korean regime to continue to invest in its illicit ballistic missile and nuclear programs."

While the DoJ and OPAC haven't named the two hacked crypto exchanges, the two press releases hint at potential connections to Lazarus Group campaigns detected and reported by Kaspersky in 2018 and 2020.
Kaspersky said:
Operation AppleJeus Sequel
The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology.

To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.
 


Ric Ford

MacInTouch
Here's some information that looks useful - an encyclopedia of malware detection-evasion tricks, including a page about macOS:
Check Point Research said:
Evasions: macOS
... Apple software licensing policy doesn’t allow emulating macOS on hardware other than the original Apple hardware. It also doesn’t allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.
 

